Ratings enable quantitative comparisons among entities (e.g., companies, students, automobiles, etc.). For example, ratings can be used by consumers to determine whether to buy from a particular company. In another example, ratings can be used by potential employees to determine whether to work at particular company. Thus, entities subject to a ratings scheme typically strive to improve their respective ratings to enhance their standing in their industry or community. One type of ratings scheme pertains to the security of an entity. Specifically, an entity (e.g., a company) can be rated based on past cybersecurity events and/or future cybersecurity risks. Aside from the company itself, there may be multiple stakeholders, e.g., insurance companies, business partners, and clients, that are invested in an improved security rating of the particular company.
Conventional methods utilize brittle rules or to use summary statistics from a vast data set to derive improvement plans. However, these methods can lead to crude or unrealistic plans for most entities.